v1.0.0-rc.6

Changelog

• 29ce6de chore: update chart for v1.0.0-rc.6 (#921)
• 199d5cf fix: downgrade goreleaser to last stable version (#922)
• f819c03 fix: publish ratify image with plugin (#916)

v1.0.0-rc.5

New Features

• Introducing support for TLS Certificate Management
  • Adds a custom configuration fetcher for TLS config so that every new TLS connection reads the cert files from disk. You can learn more here and here.
  • Adopt the cert-controller used in Gatekeeper which checks the validation of certificates every 12 hours and generates a new certificate.
  • Design doc is here.
• Update Go to 1.20 to use coverage profiling for integration tests.
  • Helps to report coverage for integration tests. You can find more here.
• Improved error messages from Certificate Store CRD
  • Shortens out the error message to Certificate Store Status. You can learn more here.
• Introduce ability to build external plugins conditionally
  • Updates the dockerfile and tests to be able to select which external plugins to be built. You can find out more here.

Documentation

• docs: update CRD version to v1beta1 by @binbin-li in #844

Tests

CLI

• Verifier Scenarios
  • Notation v2
  • Cosign
    • Keyed
    • Keyless
  • SBOM
  • License Checker
  • JSON Schema Validation
  • All verifier types in one
• Dynamic OCI Plugins
  • Verifier Plugin
  • Store Plugin
• OCI 1.0 spec compatability test

Kubernetes

• Verifier Scenarios
  • Notation v2
  • Cosign
  • SBOM
  • License Checker
  • JSON Schema Validation
  • All verifier types in one
• ORAS Store Authentication Providers
  • Docker
  • Kubernetes Secrets
  • Azure Workload Identity
  • Azure Managed Identity
• Certificate Store Providers
  • Inline Certificate
  • Azure Key Vault Certificate
• Mutation Provider
• Dynamic OCI Plugins
  • Verifier Plugin
• CertifacteProvider CRD Status
• TLS Certificate
  • TLS Certificate Watcher
  • TLS Certificate Rotation

Bug Fixes

• fix: fix go version in build-pr.yml by @binbin-li in #842
• fix: switch to working version of sbom-tool by @binbin-li in #873
• fix: update Azure build steps by @akashsinghal in #882
• fix: update go releaser to use quoted go version by @akashsinghal in #891

Changelog

• chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.13.22 to 1.13.24 by @dependabot in #826
• chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.23 to 1.18.25 by @dependabot in #828
• chore: Bump github.com/docker/cli from 23.0.5+incompatible to 23.0.6+incompatible by @dependabot in #827
• chore: Bump codecov/codecov-action from 3.1.3 to 3.1.4 by @dependabot in #830
• chore: Bump actions/setup-go from 4.0.0 to 4.0.1 by @dependabot in #829
• chore: bump rekor to 1.1, cosign to 2.0, msal-go to 1.0 by @dependabot in #812
• chore: bump github.com/cloudflare/circl from 1.1.0 to 1.3.3 by @dependabot in #832
• feat: upgrade go to 1.20 to use coverage profiling for integration tests. by @binbin-li in #833
• chore: bump github.com/stretchr/testify from 1.8.2 to 1.8.3 by @dependabot in #841
• chore: bump k8s.io/apimachinery from 0.26.1 to 0.26.5 by @dependabot in #840
• chore: bump github.com/sirupsen/logrus from 1.9.0 to 1.9.2 by @dependabot in #839
• chore: bump google.golang.org/grpc from 1.54.0 to 1.54.1 by @dependabot in #838
• chore: bump codecov/codecov-action from 3.1.3 to 3.1.4 by @dependabot in #837
• fix: fix go version in build-pr.yml by @binbin-li in #842
• docs: update CRD version to v1beta1 by @binbin-li in #844
• chore: bump github/codeql-action from 2.3.3 to 2.3.4 by @dependabot in #847
• chore: bump github/codeql-action from 2.3.4 to 2.3.5 by @dependabot in #849
• feat: support tls cert rotation by @akashsinghal in #831
• feat: add brief err to CertificateStore CRD by @binbin-li in #846
• chore: bump github.com/sigstore/rekor from 1.1.1 to 1.2.0 by @dependabot in #850
• chore: bump github.com/notaryproject/notation-core-go from 1.0.0-rc.3 to 1.0.0-rc.4 by @dependabot in #853
• chore: bump k8s.io/client-go from 0.25.4 to 0.25.10 by @dependabot in #852
• chore: bump github.com/spdx/tools-golang from 0.5.0 to 0.5.1 by @dependabot in #854
• chore: bump k8s.io/api from 0.26.1 to 0.26.5 by @dependabot in #851
• test: testscript change echo file to printf by @fseldow in #859
• chore: bump github/codeql-action from 2.3.5 to 2.3.6 by @dependabot in #862
• chore: bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3 by @dependabot in #867
• chore: bump github.com/stretchr/testify from 1.8.3 to 1.8.4 by @dependabot in #866
• build: build external plugins conditionally by @binbin-li in #860
• chore: bump github.com/notaryproject/notation-go from 1.0.0-rc.4 to 1.0.0-rc.6 by @dependabot in #864
• chore: bump golangci/golangci-lint-action from 3.4.0 to 3.5.0 by @dependabot in #868
• test: switch to splitted bats test by @binbin-li in #870
• fix: switch to working version of sbom-tool by @binbin-li in #873
• chore: bump actions/checkout from 3.5.2 to 3.5.3 by @dependabot in #879
• chore: bump github/codeql-action from 2.3.6 to 2.13.4 by @dependabot in #878
• chore: bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.6.0 to 1.6.1 by @dependabot in #877
• chore: bump github.com/spdx/tools-golang from 0.5.1 to 0.5.2 by @dependabot in #876
• chore: bump docker/login-action from 2.1.0 to 2.2.0 by @dependabot in #872
• chore: bump golangci/golangci-lint-action from 3.5.0 to 3.6.0 by @dependabot in #880
• chore: bump goreleaser/goreleaser-action from 4.2.0 to 4.3.0 by @dependabot in #881
• fix: update Azure build steps by @akashsinghal in #882
• feat: add cert rotator by @binbin-li in #869
• fix: Azure workload identity fails to refresh token by @susanshi in #883
• test: move cert rotator to plugin test since it will deploy image with plugins by @fseldow in #888
• chore: update chart for v1.0.0-rc.5 by @akashsinghal in #890
• fix: update go releaser to use quoted go version by @akashsinghal in #891

Full Changelog: v1.0.0-rc.4...v1.0.0-rc.5

v1.0.0-rc.4

New Features

• Introducing new dependency metrics
  • Adds metrics and supporting dashboards for registry requests, blob cache hit, AAD exchange duration, ACR Exchange duration, and AKV cert fetch duration. More information can be found here.
• Introducing support for multiple signature report in verifier report for Cosign
  • Cosign allows for multiple signatures to be attached as layers in a single OCI Image. Ratify now provides support to bubble up failures/successes per signature layer.
  • More information can be found here.
• Introducing fixes for ECR Basic Auth registry parse and new notation plugin manager for use with the notation verifier
  • Adds a new plugin manager that can be used with the Notation verifier. It allows users to download notation plugins through the ratify Dynamic Plugins feature to use in verification.
  • Fix an issue with ECR basic auth when downloading objects through the Dynamic Plugins feature.
  • More information can be found here.
• Introducing pre-install hook for Ratify CRs
  • Add pre-install hook to CR templates so that they can skip rendering and only be installed after CRDs are updated.

Documentation

• docs: add cache doc by @akashsinghal in #786
• docs: Update AWS docs to reference notation and IRSA by @byronchien in #824
• docs: Add new notation-validation sample policy by @byronchien in #823

Tests

CLI

• Verifier Scenarios
  • Notation v2
  • Cosign
    • Keyed
    • Keyless
  • SBOM
  • License Checker
  • JSON Schema Validation
  • All verifier types in one
• Dynamic OCI Plugins
  • Verifier Plugin
  • Store Plugin
• OCI 1.0 spec compatability test

Kubernetes

• Verifier Scenarios
  • Notation v2
  • Cosign
  • SBOM
  • License Checker
  • JSON Schema Validation
  • All verifier types in one
• ORAS Store Authentication Providers
  • Docker
  • Kubernetes Secrets
  • Azure Workload Identity
  • Azure Managed Identity
• Certificate Store Providers
  • Inline Certificate
  • Azure Key Vault Certificate
• Mutation Provider
• Dynamic OCI Plugins
  • Verifier Plugin
• CertifacteProvider CRD Status

Bug Fixes

• fix: update notation plugin manager directory by @akashsinghal in #815

Changelog

• feat: add pre-install hook to Ratify CRs by @binbin-li in #772
• chore: Bump github/codeql-action from 2.2.11 to 2.2.12 by @dependabot in #776
• chore: Bump k8s.io/apimachinery from 0.24.12 to 0.24.13 by @dependabot in #782
• chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.13.19 to 1.13.20 by @dependabot in #781
• chore: Bump k8s.io/client-go from 0.24.12 to 0.24.13 by @dependabot in #778
• chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.20 to 1.18.21 by @dependabot in #780
• ci: enforce semantic title on PR by @binbin-li in #783
• docs: update community meeting schedule by @akashsinghal in #785
• feat: add dependency metrics by @akashsinghal in #774
• feat: add multi signature report in verifier report for cosign by @akashsinghal in #784
• docs: add cache doc by @akashsinghal in #786
• chore: Bump github.com/docker/cli from 23.0.3+incompatible to 23.0.4+incompatible by @dependabot in #793
• chore: Bump github/codeql-action from 2.2.12 to 2.3.0 by @dependabot in #792
• chore: Bump github.com/notaryproject/notation-go from 1.0.0-rc.3 to 1.0.0-rc.4 by @dependabot in #794
• ci: Harden GitHub Actions by @step-security-bot in #797
• chore: Bump actions/checkout from 3.1.0 to 3.5.2 by @dependabot in #800
• chore: Bump github/codeql-action from 2.3.0 to 2.3.1 by @dependabot in #801
• chore: Bump github/codeql-action from 2.3.1 to 2.3.2 by @dependabot in #802
• chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.21 to 1.18.22 by @dependabot in #807
• chore: Bump github.com/Azure/go-autorest/autorest from 0.11.28 to 0.11.29 by @dependabot in #806
• chore: Bump github.com/docker/cli from 23.0.4+incompatible to 23.0.5+incompatible by @dependabot in #808
• feat: ECR basic auth registry parse and add notation plugin manager by @byronchien in #804
• chore: Bump github/codeql-action from 2.3.2 to 2.3.3 by @dependabot in #813
• chore: Bump actions/upload-artifact from 3.1.0 to 3.1.2 by @dependabot in #814
• chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.22 to 1.18.23 by @dependabot in #816
• fix: update notation plugin manager directory by @akashsinghal in #815
• chore: Bump github.com/docker/distribution from 2.8.1+incompatible to 2.8.2+incompatible by @dependabot in #822
• docs: Update AWS docs to reference notation and IRSA by @byronchien in #824
• docs: Add new notation-validation sample policy by @byronchien in #823
• chore: prepare chart for rc4 release by @akashsinghal in #825

New Contributors

• @byronchien made their first contribution in #804

Full Changelog: v1.0.0-rc.3...v1.0.0-rc.4

v1.0.0-rc.3

New Features

• CRD version upgrade from v1alpha1 to v1beta1
  • Introducing Certificate Store CRD status, new properties includes IsSuccess, Error, LastFetchedTime properties. More info here.
  • Please note that users of previous CRD versions are now required to delete any Ratify CRDs manually when uninstalling Ratify.
  • More info here.
• Adding cross-region support for AWS auth provider
  • Adds region to the ECR client cfg for call to get AuthZ tokens. Maps retrieved creds to ECR registry host.
  • More info here
• Introducing initial Ratify metrics support
  • Introduces a new metrics exporter and provider implementation based on OpenTelemetry
  • Adds Prometheus as an exporter provider
  • Adds sample Grafana dashboard
  • More info here
• Introducing weekly dev builds and on-demand build request process
  • Cron schedule task that runs every Monday @ 08:30 UTC (12:30 am PST)
  • Also adds a manual workflow dispatch option for Maintainers
  • If you want to request a dev build on demand, you can check the guidelines here.

Documentation

• doc: update Ratify on Azure walkthrough by @FeynmanZhou in #665
• doc: Update quick start with local chart option by @susanshi in #681
• doc: Update doc guidance to use inline cert provider when working with certificate chain by @susanshi in #717
• docs: add support for bridge to kubernetes by @akashsinghal in #736
• doc: add "helm repo update" in README by @FeynmanZhou in #747
• docs: update k8s secrets auth provider by @akashsinghal in #749
• doc: delete CRDs when uninstalling Ratify by @binbin-li in #767
• doc: cert store status doc by @susanshi in #760

Tests

CLI

• Verifier Scenarios
  • Notation v2
  • Cosign
    • Keyed
    • Keyless
  • SBOM
  • License Checker
  • JSON Schema Validation
  • All verifier types in one
• Dynamic OCI Plugins
  • Verifier Plugin
  • Store Plugin
• OCI 1.0 spec compatability test

Kubernetes

• Verifier Scenarios
  • Notation v2
  • Cosign
  • SBOM
  • License Checker
  • JSON Schema Validation
  • All verifier types in one
• ORAS Store Authentication Providers
  • Docker
  • Kubernetes Secrets
  • Azure Workload Identity
  • Azure Managed Identity
• Certificate Store Providers
  • Inline Certificate
  • Azure Key Vault Certificate
• Mutation Provider
• Dynamic OCI Plugins
  • Verifier Plugin
• CertifacteProvider CRD Status

Bug Fixes

• fix: update plugin download logic for oci image support by @akashsinghal in #699
  fix: switch reference normalization to use docker parsing by @akashsinghal in #712
• fix: add cert validation logic to notation TrustStore by @binbin-li in #709
• fix: move azure specific code to azure auth package by @susanshi in #730
• fix: support multi signature verification in cosign verifier by @suganyas in #728
• fix: make notary cert optional rather than mandatory since it is not always required in helm ratify deploy by @suganyas in #733
• fix: pin licensechecker test to specific version by @akashsinghal in #753
• fix: update k8s version matrix for Azure e2e test by @binbin-li in #756
• fix: add time delay for prometheus exporter test by @akashsinghal in #770

Changelog

• chore: Bump k8s.io/api from 0.24.10 to 0.24.11 by @dependabot in #690
• chore: Bump k8s.io/client-go from 0.24.10 to 0.24.11 by @dependabot in #689
• ci: add weekly dev build by @akashsinghal in #679
• doc: update Ratify on Azure walkthrough by @FeynmanZhou in #665
• doc: Update quick start with local chart option by @susanshi in #681
• feat: bump up CRD version to v1beta1 by @binbin-li in #664
• test: build azure e2e test images by @binbin-li in #676
• ci: add commit hash to dev build tag by @akashsinghal in #697
• test: add more unit tests by @akashsinghal in #671
• chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.15 to 1.18.16 by @dependabot in #708
• chore: Bump github/codeql-action from 2.2.5 to 2.2.6 by @dependabot in #704
• chore: Bump github.com/golang/protobuf from 1.5.2 to 1.5.3 by @dependabot in #707
• fix: update plugin download logic for oci image support by @akashsinghal in #699
• test: add oci 1.0 fallback e2e test by @akashsinghal in #711
• refactor: Update cert store to a factory pattern by @susanshi in #691
• chore: add dev build guidance by @akashsinghal in #698
• chore: Bump actions/setup-go from 3 to 4 by @dependabot in #715
• chore: Bump github/codeql-action from 2.2.6 to 2.2.7 by @dependabot in #714
• chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.13.16 to 1.13.17 by @dependabot in #720
• chore: Bump oras.land/oras-go/v2 from 2.0.0 to 2.0.2 by @dependabot in #722
• chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.16 to 1.18.18 by @dependabot in #721
• chore: Bump github.com/Azure/go-autorest/autorest/adal from 0.9.22 to 0.9.23 by @dependabot in #724
• chore: Bump k8s.io/client-go from 0.24.11 to 0.24.12 by @dependabot in #723
• fix: switch reference normalization to use docker parsing by @akashsinghal in #712
• doc: Update doc guidance to use inline cert provider when working with certificate chain by @susanshi in #717
• fix: add cert validation logic to notation TrustStore by @binbin-li in #709
• fix: move azure specific code to azure auth package by @susanshi in #730
• chore: Bump github/codeql-action from 2.2.7 to 2.2.8 by @dependabot in #732
• fix: support multi signature verification in cosign verifier by @suganyas in #728
• fix: make notary cert optional rather than mandatory since it is not always required in helm ratify deploy by @suganyas in #733
• chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.18 to 1.18.19 by @dependabot in #742
• docs: add support for bridge to kubernetes by @akashsinghal in #736
• doc: add "helm repo update" in README by @FeynmanZhou in #747
• chore: Bump github/codeql-action from 2.2.8 to 2.2.9 by @dependabot in #746
• refactor: switch retry client to native oras client by @akashsinghal in #745
• chore: Bump ossf/scorecard-action from 2.1.2 to 2.1.3 by @dependabot in #748
• fix: pin licensechecker test to specific version by @akashsinghal in #753
• chore: Bump github.com/go-logr/logr from 1.2.3 to 1.2.4 by @dependabot in #752
• chore: Bump github.com/docker/cli from 23.0.1+incompatible to 23.0.2+incompatible by @dependabot in #751
• docs: update k8s secrets auth provider by @akashsinghal in #749
• chore: Bump github.com/docker/docker from 20.10.20+incompatible to 20.10.24+incompatible by @dependabot in #754
• feat: add initial metrics support by @akashsinghal in #726
• chore: Bump github/codeql-action from 2.2.9 to 2.2.10 by @dependabot in #757
• chore: Bump github/codeql-action from 2.2.10 to 2.2.11 by @dependabot in #759
• chore: Bump github.com/aws/aws-sdk-go-v2 from 1.17.7 to 1.17.8 by @dependabot in #761
• chore: Bump github.com/docker/cli from 23.0.2+incompatible to 23.0.3+incompatible by @dependabot in #764
• chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.19 to 1.18.20 by @dependabot in #762
• fix: update k8s version matrix for Azure e2e test by @binbin-li in https://githu...

v1.0.0-rc.2

New Features

• Introduce new plugin support as OCI Artifacts
Adds the ability for Ratify to download plugins from OCI artifacts as they are registered. It eliminates the need for users to build their own Ratify image, hack the Helm chart output and so on. You can find more info here.

• Introduce new code coverage reports by CodeCov on every change.

• Introduce new inline certificate provider
With this release, a new “inline” cert provider has been added here. A PEM-format certificate (chain) can be directly specified.

• Release adds a logr -> logrus adapter sink so that k8s controller-runtime components emit the same output as the rest of the Ratify codebase.

• Introduce support for keyless verification of images signed by Fulcio and stored in Rekor.

• Update workload identity auth provider configuration to consume client id. This allows users to specify client id directly without modifying service account when having to change the ORAS store configuration.

• Introduce support for cosign for auth enabled registries

• Support for OCI Image across all verifiers

Documentation

• docs: add CRD doc template by @susanshi in #627
• docs: add new feature/ideas template by @susanshi in #645
• doc: update doc for Azure Workload Identity setup by @binbin-li in #649
• doc: Verifiers and CertificateStore CRD by @susanshi in #654

Tests

CLI

• Verifier Scenarios
  • Notation v2
  • Cosign
    • Keyed
    • Keyless
  • SBOM
  • License Checker
  • JSON Schema Validation
  • All verifier types in one
• Dynamic OCI Plugins
  • Verifier Plugin
  • Store Plugin

Kubernetes

• Verifier Scenarios
  • Notation v2
  • Cosign
  • SBOM
  • License Checker
  • JSON Schema Validation
  • All verifier types in one
• ORAS Store Authentication Providers
  • Docker
  • Kubernetes Secrets
  • Azure Workload Identity
  • Azure Managed Identity
• Certificate Store Providers
  • Inline Certificate
  • Azure Key Vault Certificate
• Mutation Provider
• Dynamic OCI Plugins
  • Verifier Plugin

Bug Fixes

• fix: add docker domain prefix as default by @akashsinghal in #604
• fix: disable cosign in default chart by @susanshi in #616
• fix: add pod label for workload identity by @noelbundick-msft in #632
• fix: fix broken Azure e2e tests due to cosign update by @binbin-li in #626
• fix: make gatekeeper namespace configurable by @akashsinghal in #635
• fix: remove default notary cert by @susanshi in #634
• fix: remove unused authProvider field in cosign verifier by @akashsinghal in #656
• fix: fix e2e logs by @binbin-li in #657
• fix: retract v1.1.0-alpha.1 by @noelbundick-msft in #677
• fix: pin notation to specific version in e2e test by @akashsinghal in #682

Changelog

• feat: plugins as OCI artifacts by @noelbundick-msft in #519
• test: add local registry support by @akashsinghal in #584
• test: add codecov by @binbin-li in #605
• fix: add docker domain prefix as default by @akashsinghal in #604
• ci: bump up ossf/scorecard-action and actions/upload-artifact by @binbin-li in #609
• chore: Bump github.com/aws/aws-sdk-go-v2 from 1.17.3 to 1.17.4 by @dependabot in #614
• chore: Bump github.com/Azure/go-autorest/autorest/adal from 0.9.21 to 0.9.22 by @dependabot in #611
• chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.13.10 to 1.13.12 by @dependabot in #612
• chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.10 to 1.18.12 by @dependabot in #613
• fix: disable cosign in default chart by @susanshi in #616
• chore: Bump github/codeql-action from 2.2.1 to 2.2.2 by @dependabot in #618
• ci: run build-pr job workflow for each push event by @binbin-li in #623
• chore: Bump github/codeql-action from 2.2.2 to 2.2.3 by @dependabot in #628
• feat: add inline cert provider by @noelbundick-msft in #601
• fix: add pod label for workload identity by @noelbundick-msft in #632
• fix: fix broken Azure e2e tests due to cosign update by @binbin-li in #626
• chore: Bump github.com/emicklei/go-restful from 2.9.5+incompatible to 2.16.0+incompatible by @dependabot in #631
• chore: Bump github.com/docker/cli from 20.10.23+incompatible to 23.0.0+incompatible by @dependabot in #610
• docs: add CRD doc template by @susanshi in #627
• feat: use logrus for CRD manager for common log format by @noelbundick-msft in #636
• chore: Bump github.com/docker/cli from 23.0.0+incompatible to 23.0.1+incompatible by @dependabot in #637
• chore: Bump github/codeql-action from 2.2.3 to 2.2.4 by @dependabot in #638
• test: add docker and k8secret auth provider tests by @akashsinghal in #633
• fix: make gatekeeper namespace configurable by @akashsinghal in #635
• docs: add new feature/ideas template by @susanshi in #645
• fix: remove default notary cert by @susanshi in #634
• ci: let helm generate certs for TLS if not provided by @binbin-li in #585
• test: changes for schemavalidator by @mluker in #607
• feat: add cosign fulcio and rekor support by @sozercan in #615
• fix: remove unused authProvider field in cosign verifier by @akashsinghal in #656
• chore: Bump github.com/notaryproject/notation-core-go from 1.0.0-rc.1 to 1.0.0-rc.2 by @dependabot in #658
• chore: Bump github.com/notaryproject/notation-go from 1.0.0-rc.1 to 1.0.0-rc.3 by @dependabot in #661
• chore: Bump golang.org/x/net from 0.5.0 to 0.7.0 by @dependabot in #662
• chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.13.12 to 1.13.13 by @dependabot in #659
• fix: fix e2e logs by @binbin-li in #657
• chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.12 to 1.18.14 by @dependabot in #663
• test: enable debug logging for e2e k8 tests by @akashsinghal in #668
• feat: add client id specification for oras store workload identity auth provider by @fseldow in #667
• test: add e2e test for AKV by @binbin-li in #644
• doc: update doc for Azure Workload Identity setup by @binbin-li in #649
• test: fix azure managed identity client id quote by @akashsinghal in #670
• chore: Bump github/codeql-action from 2.2.4 to 2.2.5 by @dependabot in #675
• chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.14 to 1.18.15 by @dependabot in #674
• chore: Bump github.com/stretchr/testify from 1.8.1 to 1.8.2 by @dependabot in #672
• feat: add cosign support for private registries by @akashsinghal in #646
• fix: retract v1.1.0-alpha.1 by @noelbundick-msft in #677
• doc: Verifiers and CertificateStore CRD by @susanshi in #654
• fix: pin notation to specific version in e2e test by @akashsinghal in #682
• feat: support OCI Image by @akashsinghal in #683
• chore: prepare for 1.0.0-rc.2 release by @akashsinghal in #686

v1.0.0-rc.1

New Features

• Introduce new certificate store and CRD definition

  • A certificate store resource defines the list of certificate to fetch from a provider. You can find more about certificate stores including a sample notary verifier with certificate stores defined here.

• Introduce new Ratify server endpoint and accompanying functionality for a tag to digest external data provider

  • This service endpoint returns resolved digests of any tag provided in the request. Find the design doc here.

• Introduce new request cache lock to enable processing verification once per subject in case of concurrent requests

  • Verification results are cached with a 5 min TTL and refreshed if the cache entry is expired at read time.

• Introduce new cache layer to the ORAS store API to avoid lots of same requests to remote registry at the same time

  • Add cache layer to the ListReferrers ORAS store API with configurable TTL.

• Introduce new configurable logging level

  • Implements configurable log levels via RATIFY_LOG_LEVEL, with the default to the current INFO level. Find the valid options here.

Bug Fixes

• fix: update chart value for keyvault provider by @susanshi in #586
• fix: store crd chart missing managedIdentity oras authprovider by @fseldow in #543
• fix: notice file name for component governance by @sajayantony in #482

Tests

CLI

• Verifier Scenarios
  • Notation v2
  • Cosign
  • SBOM
  • License Checker
  • JSON Schema Validation
  • All verifier types in one

Kubernetes

• Verifier Scenarios
  • Notation v2
  • Cosign
  • SBOM
  • License Checker
  • JSON Schema Validation
  • All verifier types in one
• ORAS Store Authentication Providers
  • Docker
  • Kubernetes Secrets
  • Azure Workload Identity
  • Azure Managed Identity
• Mutation Provider

Detailed Commits

• Added notes for 2022-jan to 2022-jun by @sajayantony in #476
• chore: bump github/codeql-action from 2.1.35 to 2.1.36 by @dependabot in #479
• chore: update pull request template by @aramase in #484
• fix: notice file name for component governance by @sajayantony in #482
• chore: Bump k8s.io/client-go from 0.24.8 to 0.24.9 by @dependabot in #487
• ci: add semantic.yml by @aramase in #483
• Update devcontainer for latest Ratify by @noelbundick-msft in #491
• update document of oras auth provider for azure managed identity by @fseldow in #427
• chore: add gh issue template by @aramase in #486
• chore: Bump goreleaser/goreleaser-action from 3 to 4 by @dependabot in #495
• Enable verifier plugins to work with store plugins by @noelbundick-msft in #493
• chore: go fmt by @noelbundick-msft in #497
• Adds initial docs for creating plugins by @noelbundick-msft in #496
• Remove executionMode (passthrough mode) by @noelbundick-msft in #494
• chore: Bump github/codeql-action from 2.1.36 to 2.1.37 by @dependabot in #500
• chore: Bump ossf/scorecard-action from 2.0.6 to 2.1.0 by @dependabot in #501
• Add configurable logging level by @noelbundick-msft in #498
• chore: Bump oras.land/oras-go/v2 from 2.0.0-rc.5 to 2.0.0-rc.6 by @dependabot in #514
• chore: Bump github.com/Azure/azure-sdk-for-go from 67.1.0+incompatible to 67.2.0+incompatible by @dependabot in #512
• chore: add log level toggle to helm chart by @akashsinghal in #506
• chore: Bump github.com/docker/cli from 20.10.21+incompatible to 20.10.22+incompatible by @dependabot in #513
• chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.13.4 to 1.13.5 by @dependabot in #511
• ci: remove markdown file bypass by @akashsinghal in #516
• Update quick start to latest image by @susanshi in #477
• chore: Bump ossf/scorecard-action from 2.1.0 to 2.1.1 by @dependabot in #517
• chore: Bump ossf/scorecard-action from 2.1.1 to 2.1.2 by @dependabot in #522
• chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.4 to 1.18.7 by @dependabot in #524
• perf: add http retry client by @akashsinghal in #505
• pin GK to 3.10.0 until breaking changes are merged in and addressed by @mluker in #540
• chore: Bump github.com/hashicorp/go-retryablehttp from 0.7.1 to 0.7.2 by @dependabot in #532
• chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.13.7 to 1.13.8 by @dependabot in #533
• chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.7 to 1.18.8 by @dependabot in #534
• feat: add annotation of configmap/secret hash to ratify pod by @HDYA in #509
• docs: Added meeting notes for 2022-Dec by @sajayantony in #541
• Added maintainers for the Ratify project by @sajayantony in #537
• fix: store crd chart missing managedIdentity oras authprovider by @fseldow in #543
• feat: add JSON schema validator by @mluker in #527
• refactor: Move authprovider to pkg/common/oras by @noelbundick-msft in #520
• Add feature flag support by @noelbundick-msft in #544
• chore: Bump github/codeql-action from 2.1.37 to 2.1.38 by @dependabot in #549
• ci: enable linting with golangci-lint by @aramase in #547
• ci: add gatekeeper version matrix by @binbin-li in #530
• chore: Bump github.com/Azure/azure-sdk-for-go from 67.2.0+incompatible to 67.3.0+incompatible by @dependabot in #551
• chore: enable unused, whitespace linters and fix errors by @aramase in #548
• docs: verify azure cmd doc updates by @joshuaphelpsms in #545
• docs: cheatsheet to get up and running quicker by @mluker in #550
• chore: enable more linters and fix errors (part 2) by @aramase in #552

New Contributors

• @HDYA made their first contribution in #509

Full Changelog: v1.0.0-beta.2...v1.0.0-rc.1

v1.0.0-beta.2

What's Changed

• chore: bump github.com/google/go-containerregistry from 0.12.0 to 0.12.1 by @dependabot in #423
• chore: bump github.com/aws/aws-sdk-go-v2/credentials from 1.12.23 to 1.12.24 by @dependabot in #420
• chore: bump k8s.io/api from 0.24.7 to 0.24.8 by @dependabot in #421
• chore: bump k8s.io/client-go from 0.24.7 to 0.24.8 by @dependabot in #422
• chore: bump github/codeql-action from 2.1.31 to 2.1.32 by @dependabot in #425
• Update chart to support azure msi oras auth provider by @fseldow in #424
• bugfix: set ratify default sevice account by @susanshi in #431
• chore: bump github/codeql-action from 2.1.32 to 2.1.33 by @dependabot in #432
• chore: bump everlytic/branch-merge from 1.1.4 to 1.1.5 by @dependabot in #429
• feat: integrate notation-go rc.1 by @binbin-li in #433
• chore: bump github.com/aws/aws-sdk-go-v2/config from 1.17.10 to 1.17.11 by @dependabot in #445
• chore: bump sigs.k8s.io/controller-runtime from 0.12.2 to 0.12.3 by @dependabot in #444
• chore: bump github.com/Azure/azure-sdk-for-go from 67.0.0+incompatible to 67.1.0+incompatible by @dependabot in #442
• chore: bump github.com/sigstore/sigstore from 1.4.5 to 1.4.6 by @dependabot in #443
• chore: bump oras.land/oras-go/v2 from 2.0.0-rc.3 to 2.0.0-rc.5 by @dependabot in #437
• test: add licensechecker verifier by @binbin-li in #440
• test: add cosign test by @binbin-li in #435
• feat: move trustpolicy to verifier config by @binbin-li in #446
• chore: bump github/codeql-action from 2.1.33 to 2.1.35 by @dependabot in #455
• chore: bump github.com/aws/aws-sdk-go-v2/config from 1.18.3 to 1.18.4 by @dependabot in #461
• configpolicy: do not mutate global artifact type policies at runtime by @noelbundick-msft in #454
• Add Docker identity token support for ORAS store by @noelbundick-msft in #452
• build: bump up notation-go by @binbin-li in #464
• build: bump up to notation rc.1 by @binbin-li in #470
• Added meeting notes by @sajayantony in #467
• Fix CodeQL Issues by @akashsinghal in #462
• Update signature artifactType for notation rc1 by @noelbundick-msft in #469
• Fix/introduce markdownlint by @starlord-daniel in #472
• Fix OpenSSF by @akashsinghal in #466
• test: add e2e tests for CLI and Add-on by @binbin-li in #458
• Prepare for Beta.2 Release by @akashsinghal in #475

New Contributors

• @noelbundick-msft made their first contribution in #454
• @starlord-daniel made their first contribution in #472

Full Changelog: v1.0.0-beta.1...v1.0.0-beta.2

v1.0.0-beta.1

Changelog

• de33a78 #381: allow cosign and notary verifier to coexist (#382)
• 0d30366 Allow Gatekeeper to connect to Ratify using TLS (#370)
• 315b603 Bugfix: set default path for plugin in Crd code path (#417)
• 9ce0e73 Fix mTLS documentation (#414)
• 71daa3a Initial protobuf definitions (#373)
• f85a162 Prepare for release v1.0.0-beta.1 (#419)
• 9051368 Publish crd image on release (#411)
• a4147a5 Remove test image Dockerfiles (#390)
• 8445fd8 [Bugfix] Update chart templates for k8s secrets provider (#418)
• c384b39 add fix to catch error for registries that do not have referrers API (#410)
• ea15f34 bump to latest version (#378)
• 90df4ae chore: bump github.com/aws/aws-sdk-go-v2/config from 1.17.8 to 1.17.10 (#383)
• 34601ee chore: bump github.com/docker/cli (#366)
• ce6a619 chore: bump github.com/docker/cli (#385)
• 4717c6b chore: bump github.com/sigstore/sigstore from 1.4.4 to 1.4.5 (#369)
• 3492712 chore: bump github.com/spf13/cobra from 1.6.0 to 1.6.1 (#398)
• 36aff24 chore: bump github/codeql-action from 2.1.28 to 2.1.30 (#387)
• de0d5dc chore: bump github/codeql-action from 2.1.30 to 2.1.31 (#399)
• 9639640 doc: update doc for workkload identity setup (#371)
• 40ef9b5 doc: update docs (#380)
• efb3096 docs cleanup (#403)
• 20beb01 feature: adding initial crds (#349)
• 27f6e93 fix go concurrency oras cache bug (#401)

v1.0.0-alpha.3

Changelog

• 8fa6464 Add Go Routines (#338)
• caed268 Add wrapper for http response with version (#346)
• 82cd521 New test image, fix e2e tests for latest notation (#362)
• 6db4644 chore: bump github.com/Azure/azure-sdk-for-go (#354)
• cc68d36 chore: bump github.com/Azure/azure-sdk-for-go/sdk/azcore (#341)
• afab2f8 chore: bump github.com/AzureAD/microsoft-authentication-library-for-go (#327)
• b4ad9ce chore: bump github.com/docker/cli (#353)
• 386199e chore: bump github.com/sigstore/sigstore from 1.4.2 to 1.4.4 (#347)
• bcb12a3 chore: bump github/codeql-action from 2.1.27 to 2.1.28 (#359)
• 7151621 chore: bump k8s.io/client-go from 0.24.6 to 0.24.7 (#352)
• 36f787b chore: bump ossf/scorecard-action from 2.0.4 to 2.0.6 (#360)
• fdc64ed doc: add missing config (#363)
• 5f85950 feat: bump notation-go from v0.8.0-alpha.1 to v0.11.0-alpha.4 (#357)
• 9fb3143 update chart to new release version (#364)

BREAKING CHANGES

• Support for signatures signed using notation< v0.11.0 is no longer supported. Users MUST delete old signatures and push new ones.

v1.0.0-alpha.2

Changelog

• f72eb6b Add GH Page Sync Workflow (#287)
• 1db0b84 Add OpenSSF scorecards (#330)
• ac4319b Add SBOM to release (#328)
• c13a7ed Add default path for notaryv2 certificates (#291)
• 1cefd21 Adding debug setup information to doc (#300)
• 529dffc Additional GitHub action fixes (#335)
• ce29be0 Cleanup vscode dir (#272)
• 21bbbe5 Config default path (#299)
• 32c03ab Fix and enhance documentation (#271)
• 412bdf7 Update Charts for v1.0.0.alpha.2 (#345)
• 835bd9e Update Documentation For Platform Selection (#316)
• 4e70405 Upgrade to golang 1.19, k8s 1.24.6 (#329)
• 05be298 add goreport badge (#337)
• 0d2c5f5 add managedIdentity authprovider for oras (#312)
• d102b5b adding manual validation md (#280)
• 967e0dd chore: bump actions/checkout from 2 to 3 (#303)
• 41f713d chore: bump actions/checkout from 3 to 3.1.0 (#343)
• 2b1e479 chore: bump everlytic/branch-merge from 1.1.2 to 1.1.3 (#292)
• 1c3cb61 chore: bump everlytic/branch-merge from 1.1.3 to 1.1.4 (#304)
• ede887b chore: bump github.com/aws/aws-sdk-go-v2 from 1.16.14 to 1.16.15 (#311)
• 4af9c0b chore: bump github.com/aws/aws-sdk-go-v2/config from 1.17.7 to 1.17.8 (#332)
• 983b368 chore: bump github.com/aws/aws-sdk-go-v2/credentials (#290)
• 9e15222 chore: bump github.com/aws/aws-sdk-go-v2/credentials (#294)
• 53ba6c5 chore: bump github.com/aws/aws-sdk-go-v2/credentials (#302)
• 4f66bbb chore: bump github.com/aws/aws-sdk-go-v2/credentials (#308)
• 3ac0276 chore: bump github.com/aws/aws-sdk-go-v2/credentials (#333)
• eba0ebd chore: bump github.com/docker/cli (#305)
• 3322d45 chore: bump github.com/sigstore/cosign from 1.12.0 to 1.12.1 (#320)
• 248e51b chore: bump github.com/sigstore/sigstore from 1.4.1 to 1.4.2 (#325)
• 9fd4ca6 chore: bump github/codeql-action from 2.0.4 to 2.1.26 (#334)
• 8f06f29 chore: bump github/codeql-action from 2.1.26 to 2.1.27 (#340)
• 240aabc chore: bump k8s.io/api from 0.24.3 to 0.24.4 (#296)
• 543b77e chore: bump k8s.io/api from 0.24.5 to 0.24.6 (#318)
• d89fa35 chore: bump k8s.io/apimachinery from 0.24.5 to 0.24.6 (#319)
• 5a121d9 chore: bump k8s.io/client-go from 0.24.3 to 0.24.4 (#295)
• 917b13c chore: bump k8s.io/client-go from 0.24.4 to 0.24.5 (#310)
• 9086f47 chore: bump k8s.io/client-go from 0.24.5 to 0.24.6 (#321)
• ff3afe6 chore: bump oras.land/oras-go/v2 from 2.0.0-rc.2 to 2.0.0-rc.3 (#306)
• 79c9870 chore: update github/codeql-action
• 7ec5745 doc: update quickstart-cli to use oras attach instead of oras push (#298)
• aefe597 fix configmap aws auth provider (#317)
• 924b20c fix openssf versions (#331)
• 08860d1 new CodeQL action (#336)
• fa582f2 updating and cleaning up dependencies (#313)
• 0691795 upgrade oras and artifact spec to rc2 (#285)
• d00f9ab upgrade to go 1.18 (#286)